
Analytics and Detection through Coding, Scripting and Organizing Data

LAB1-R04. Matt Norris, Senior Analyst, MKACyber. Mischel Kwon, Founder, MKACyber (@mkacyber). Brian Kwon, Analyst, MKACyber. Dilan Bellinghoven, SOC Analyst, MKACyber. David Smith, QA Manager, MKACyber.


Presentation Transcript


  1. LAB1-R04: Analytics and Detection through Coding, Scripting and Organizing Data
  Matt Norris, Senior Analyst, MKACyber
  Mischel Kwon, Founder, MKACyber (@mkacyber)
  Brian Kwon, Analyst, MKACyber
  Dilan Bellinghoven, SOC Analyst, MKACyber
  David Smith, QA Manager, MKACyber

  2. All hail the mighty SIEM!
  • Alerts are just alerts
  • How do we actually find patterns in the noise without drinking from the firehose?
  • Most SIEM products are in some state of neglect

  3. So how do we get around this?
  • Organize the operation via a use case and scenario framework
  • Perform data and alert aggregation to see the signal through the noise
  • Establish workflow and content management via efficient use of ticketing systems
  • Automate basic analysis and enrichment

  4. Threat based approach. Context?
  • Most of the alerts you see in a modern SOC are missing one thing… Context!
  • Categorizing as you go helps you know specifically what you're looking for and when to look for it, and makes sure you have detection across the spectrum
  • Avoids detecting down the rabbit hole and getting tunnel vision

  5. But how do we tag things?
  • K.I.S.S. Well... as simple as you can in this case
  • Use Cases: A category for activity on a system (pieces of knowledge, or scenarios)
  • Scenarios: Individual pieces of activity on a system
  • Content: Specific rules, signatures, and indicators written to detect scenarios

  6. Current MKA Use Cases
  • Web
  • Malware
  • High Value Targets
  • Unauthorized Access and Privilege Escalation
  • VPN
  • Data Exfiltration
  • Email
  • Traffic Anomalies
  • Vulnerability

  7. Break out of scenarios
  • Data Exfiltration
    • Unusual large upload
    • Unusual large download
    • Unusual large transfer during off business hours
    • Mismatched file headers
    • Unusual network session lengths
    • Matches on keywords/PII
    • Unusual large outbound traffic to suspect country
    • Unusually large outbound traffic to competitor/adversary

  8. Example: Widget Warehouse
  • You come on as a new analyst
  • They have a plethora of detection tools
  • A new site is coming online that has not been integrated into the larger security architecture, but has sensors deployed
  • IT has commented that they've seen a large amount of malware infections, but the SOC can't do anything yet

  9. What can we do?
  • The Macarena?
  • Throw our hands up and get mad at the engineers?
  • SSH into the sensor and try and set up manual detection in the meantime?

  10. Example: File header EXE detection
  • Use Case: Malware
  • Scenario: EXE file header found in environment
  • Content: Snort rule aggregated by signature and then destination IP
  • We'll walk through this example in class

  11. Alert aggregation
  • Stack and sort to make patterns manageable
  • What do we care about in the data?

  12. Wouldn’t this be nicer?

  13. Or this?
  • Top 25 Snort exe events:
  cat alert.fast.maccdc2012_00000.pcap | awk -F"\[**\]" '{print $3;}' | sed -e 's/\[$//' -e 's/^\]//' | grep 'exe' | sort | uniq -c | sort -rn | head -25
  105 [1:2059:1] WEB-MISC MsmMask.exe access
  105 [1:2058:1] WEB-MISC MsmMask.exe attempt
  82 [1:2326:3] WEB-IIS sgdynamo.exe access
  82 [1:1610:11] WEB-CGI formmail arbitrary command execution attempt
  69 [1:809:11] WEB-CGI whois_raw.cgi arbitrary command execution attempt
  66 [1:2018403:7] ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe
  65 [1:1165:9] WEB-MISC Novell Groupwise gwweb.exe access
  47 [1:832:11] WEB-CGI perl.exe access
  47 [1:2019714:2] ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  47 [1:1648:7] WEB-CGI perl.exe command attempt
  44 [1:1614:8] WEB-MISC Novell Groupwise gwweb.exe attempt
  42 [1:1158:10] WEB-MISC windmail.exe access
  42 [1:100000217:1] COMMUNITY WEB-MISC man2web cmd exec attempt
  41 [1:2241:5] WEB-MISC cwmail.exe access
  41 [1:1654:6] WEB-CGI cart32.exe access
  41 [1:1536:8] WEB-CGI calendar_admin.pl arbitrary command execution attempt
  37 [1:1762:5] WEB-CGI phf arbitrary command execution attempt
  37 [1:1547:11] WEB-CGI csSearch.cgi arbitrary command execution attempt
  21 [1:989:11] BACKDOOR sensepost.exe command shell attempt
  21 [1:889:10] WEB-CGI ppdscgi.exe access
  21 [1:2244:4] WEB-MISC VsSetCookie.exe access
  21 [1:1655:6] WEB-CGI pfdispaly.cgi arbitrary command execution attempt
  21 [1:1595:10] WEB-IIS htimage.exe access
  7 [1:962:13] WEB-FRONTPAGE shtml.exe access
  7 [1:2010704:8] ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt

  14. Emerging Threat hit on ".exe"
  cat alert.fast.maccdc2012_00000.pcap | grep 'ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe' | awk -F"\ " '{split($23,a,":");print " " a[1] " -> " $25;}' | sort | uniq -c | sort -rn
  50 192.168.202.110 -> 192.168.27.203:8080
  16 192.168.202.110 -> 192.168.27.102:3128
  cat ../http.log | grep 192.168.202.110 | grep -P "192.168.27.203\t8080" | wc -l
  17894
  cat ../http.log | grep 192.168.202.110 | grep -P "192.168.27.102\t3128" | wc -l
  3663
  • Connections to two hosts
  • Lots of connections between the hosts

  15. Scanning…
  cat ../http.log | grep 192.168.202.110 | grep -P "192.168.27.102\t3128" | awk '{print $8 " " $10;}' | sort | uniq -c | sort -rn | head
  541 GET /
  22 GET /<IMG
  12 GET /scripts/
  12 GET /cgi-bin/
  6 GET /index.jsp
  4 GET /scripts/index.php
  4 GET /index.php
  4 GET /cgi-bin/index.php
  4 GET /cgi-bin/index.cgi
  4 GET /../../../../../../../../../../../../etc/passwd

  16. Scanning…
  cat ../http.log | grep 192.168.202.110 | grep -P "192.168.27.102\t3128" | awk '{print $8 " " $10;}' | sort | uniq -c | sort -rn | tail
  1 GET ././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././../../../../../../../../
  1 GET ..\\..\\..\\..\\..\\..\\winnt\\win.ini
  1 GET ..\\..\\..\\..\\..\\..\\windows\\win.ini
  1 GET ..\..\..\..\..\..\winnt\win.ini
  1 GET ..\..\..\..\..\..\windows\win.ini
  1 GET ..\..\..\..\..\..\..\..\..\..\winnt\win.ini
  1 GET ..\..\..\..\..\..\..\..\..\..\windows\win.ini
  1 GET .
  1 GET %.
  1 CONNECT localhost:3141

  17. Another event
  cat alert.fast.maccdc2012_00000.pcap | grep 'ATTACK-RESPONSES Microsoft cmd.exe banner'
  03/16-08:13:32.500000 [**] [1:2123:3] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.28.100:1138 -> 192.168.202.96:443
  cat ../conn.log | grep -P '192.168.28.100\t1138\t192.168.202.96\t443'
  1331903612.440000 CdDGxV32GCW7JfVHba 192.168.28.100 1138 192.168.202.96 443 tcp - 0.060000 104 0 S1 - 0 ShADa 3 232 2 88 (empty)
  1331904353.160000 CCuhkk1UHaue9Hp6y4 192.168.28.100 1138 192.168.202.96 443 tcp - 66.440000 1814 225 SHR - 0 dDafA 12 2294 19 985 (empty)
  cat ../conn.log | grep '192.168.28.100' | ../send_recv_counter.pl
  192.168.202.110 -> 192.168.28.100 103688
  192.168.202.110 <- 192.168.28.100 172126
  • Potential cmd.exe traffic
  • Lots of other traffic between the hosts
  • 'Encrypted' connections with not much traffic

  18. Multiple ways to skin the cat
  • Grep for "exe" in the snort alerts
  • AWK out the destination IP
  • Sort and count unique lines (uniq)
  grep -i exe sample.pcap
  grep -i exe sample.pcap | awk -F '}' '{print $2}' | awk -F ' ' '{print $3}' | awk -F ':' '{print $1}'
  grep -i exe sample.pcap | awk -F '}' '{print $2}' | awk -F ' ' '{print $3}' | awk -F ':' '{print $1}' | sort | uniq -c

  19. Poor cat
  • Grep for "exe" in the snort alerts
  • CUT out the destination IP
  • Sort and count unique lines (uniq)
  grep -i exe sample.pcap
  grep -i exe sample.pcap | cut -d '{' -f 2 | cut -d ' ' -f 4 | cut -d ':' -f 1
  grep -i exe sample.pcap | cut -d '{' -f 2 | cut -d ' ' -f 4 | cut -d ':' -f 1 | sort | uniq -c

  20. Exercise
  • Basic Linux analysis on Snort logs
  • Entirely doable in PowerShell for the Windows-oriented
  • Example walkthrough of blackhole script

  21. Back to Widget Warehouse
  • We have all of this security architecture lying around… can we use any of it?
  • How about the big shiny JIRA box?
  • We can share with the rest of the SOC
  • Build on the knowledge base everyone else is using
  • Avoid reinventing the wheel
  • Gather all of your information in one usable and documentable place
  • But how do we talk to it?
  • Is it possible to correlate without a SIEM?

  22. How about Python?
  • Easier than most people think
  • You don't actually need a full development team
  • Python isn't the only option (we just like it)

  23. What are we trying to do?
  • Pull out the data
  • Organize the data
  • Put the data into JIRA

  24. How do we pull out the data?
  • Snort alert fast is just text. How do we find and organize the good bits?

  25. How do we pull out the data?
  • PyParsing – A quick, easy, and modular parser in Python
  • snort_log_parser.py – Builds a PyParsing object for Snort logs
  • Regex is fun, but not necessary
  Input line:
  03/16-07:30:02.730000 [**] [1:2016141:2] ET INFO Exectuable Download from dotted-quad Host [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.202.79:50770 -> 17.172.224.47:80
  snort_log_parser.py → <PyParsing object> → output:
  [['03/16-07:30:02.730000', '1:2016141:2', 'A Network Trojan was Detected', '1', 'TCP', '192.168.202.79', '50770', '17.172.224.47', '80']]

  26. Exercise 2a: Broken Parser
  Parser works with the old log format:
  03/16-07:30:00.000000 [--] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) [--] [Category: Web Application Attack] [Priority: 1] {TCP} 192.168.202.79:50465 -> 192.168.229.251:80
  Doesn't work with the new log format:
  03/16-07:30:00.000000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.202.79:50465 -> 192.168.229.251:80
  How do we fix it?

  27. Exercise 2a: Broken Parser
  • Exercise instructions:
    • Change directories to ~/exercise_2
    • Open ~/exercise_2/snort_log_parser_broken.py
    • Test whether the log is being properly parsed (follow along)
  [RSA@RSAMKA ~]$ cd exercise_2
  [RSA@RSAMKA ~]$ vim ~/exercise_2/snort_log_parser_broken.py

  28. Exercise 2a: Broken Parser
  • Once fixed, move it to ~/exercise_2/snort_parsing
  [RSA@RSAMKA exercise_2]$ mv snort_log_parser_broken.py ./snort_parser/snort_log_parser.py
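A parser that accepts both layouts from slide 26, the old "[--] ... [Category: ...]" and the current "[**] ... [Classification: ...]", and also copes with ICMP alerts that carry no ports and with rules that emit no classification block. This is an added example, not the exercise's snort_log_parser.py; it uses the stdlib re module instead of PyParsing so it runs with no dependencies, and its sample input is the two slide lines plus a constructed ICMP line and a constructed junk line.

```python
import re
from typing import Dict, List, Optional, Tuple

# One Snort alert_fast line. Both delimiter styles from the exercise are accepted:
# "[**] ... [Classification: ...]" (current) and "[--] ... [Category: ...]" (old).
# The classification block is optional because rules without a classtype omit it;
# the ports are optional because ICMP alerts carry none (see the slide 29 sample).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[(?:\*\*|--)\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"\[(?:\*\*|--)\]\s+"
    r"(?:\[(?:Classification|Category):\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Field order of the list the slide's parser prints.
ROW_FIELDS = ("ts", "sid", "cls", "prio", "proto", "src", "sport", "dst", "dport")

Record = Dict[str, Optional[str]]


def parse_alert(line: str) -> Optional[Record]:
    """Return the named fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec: Record = m.groupdict()
    rec["raw"] = line.strip()  # kept so later stages can file the original text
    return rec


def to_row(rec: Record) -> List[str]:
    """Flatten a record to the slide's list layout; absent values (ICMP ports) become ''."""
    return [rec[f] or "" for f in ROW_FIELDS]


def parse_log(text: str) -> Tuple[List[Record], List[str]]:
    """Parse a whole alert file; unparsable lines are returned, not dropped silently."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


# Constructed sample: the two slide 26 lines (old and new format), an ICMP alert built
# from the slide 29 fragment (its "Misc activity" classification is made up), and junk.
SAMPLE_LOG = """\
03/16-07:30:00.000000 [--] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) [--] [Category: Web Application Attack] [Priority: 1] {TCP} 192.168.202.79:50465 -> 192.168.229.251:80
03/16-07:30:00.000000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.202.79:50465 -> 192.168.229.251:80
03/16-07:30:00.060000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.25 -> 192.168.202.100
this line is not a Snort alert
"""

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in recs:
        print(to_row(r))
    print("unparsed:", bad)
```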

  29. How do we map the data?
  Input alerts:
  03/16-07:30:00.000000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected ... 192.168.202.79:50465 -> 192.168.229.251:80
  03/16-07:30:00.010000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected ... 192.168.202.79:50467 -> 192.168.229.251:80
  03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 81.177.139.111:80
  03/16-07:30:00.030000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected ... 192.168.202.79:50469 -> 192.168.229.251:80
  03/16-07:30:00.040000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected ... 192.168.202.79:50471 -> 192.168.229.251:80
  03/16-07:30:02.730000 [**] [1:2100952:8] GPL WEB_SERVER author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80
  03/16-07:30:00.050000 [**] [1:2102924:4] GPL NETBIOS SMB-DS repeated logon failure [**] ... 192.168.229.153:445 -> 192.168.202.79:55173
  03/16-07:30:00.050000 [**] [1:2924:3] NETBIOS SMB-DS repeated logon failure [**] ... 192.168.229.153:445 -> 192.168.202.79:55173
  03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80
  03/16-07:30:00.050000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected ... 192.168.202.79:50473 -> 192.168.229.251:80
  03/16-07:30:00.060000 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] ... 192.168.27.25 -> 192.168.202.100
  03/16-07:30:00.070000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected ... 192.168.202.79:50475 -> 192.168.229.251:80
  03/16-07:30:00.080000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected ... 192.168.202.79:50477 -> 192.168.229.251:80
  03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 81.177.139.111:80
  03/16-07:30:02.730000 [**] [1:2100952:8] GPL WEB_SERVER author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80
  03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80
  Mapped by destination IP:
  {
    "81.177.139.111" : [
      "03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 81.177.139.111:80"
    ],
    "166.62.112.150" : [
      "03/16-07:30:02.730000 [**] [1:2100952:8] GPL WEB_SERVER author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80",
      "03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80"
    ]
  }

  30. How do we map the data? (cont'd)
  • How can we process our logs and find patterns?
  • Can we organize them for easier use in a later stage?
  • Yes we can! With snort_mapping.py
  • Uses the parser object from the previous exercise
  • Runs the parser over the data sample to create a JSON object with sorted, organized, structured, and beautiful data

  31. How do we map the data? (cont'd)
  • Step 1: Parse the Snort alert log file
  [Diagram: Snort alert log file (sample.pcap) → snort_log_parser.py (SnortParser) → snort_mapping.py → DEST_IP_ALERTS_MAP]
  # Create a PyParsing object for the Snort alert log file
  parser = snort_log_parser.SnortParser()
  # Parse logfile using parser and return a mapping of
  # {dst_ip_1 : [alert_1, alert_2, ..., alert_n],
  #  dst_ip_2 : [alert_1, alert_2, ..., alert_n], ...}
  mapping = snort_mapping.build_unique_dest_ips(parser, logfile)

  32. How do we insert data into JIRA?
  • JIRA.py
  • Iterates over the structured output (JSON) from the previous step
  • Gives a way to perform actions (maybe intel gathering) per ticket by creating a pipeline
  • AUTOMATE TIER ONE ALL THE TIME
  • JIRA ingests the JSON object via REST API to create one ticket per destination IP in the JSON

  33. How do we insert data into JIRA?
  • Step 2: Use the mapping and the JIRA REST API to create one ticket per destination IP in JIRA
  [Diagram: DEST_IP_ALERTS_MAP → JIRA.py → JIRA REST API → new tickets created in JIRA]
  # Create JIRA tickets using JIRA REST API
  JIRA.transmit(creds, JIRA_domain, mapping)
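Steps 1 and 2 (build_unique_dest_ips and JIRA.transmit) as an added example, not the exercise's snort_mapping.py or JIRA.py. It starts from already-parsed records (constructed inline from the slide 29 lines), drops the duplicated alert the way the slide's output does, optionally keeps only messages containing a keyword such as "exe", and posts one issue per destination IP to JIRA's /rest/api/2/issue endpoint with basic auth in the user:password form of the exercise's -a flag. The project key "SOC", the issue type "Task" and the injectable sender (so the run needs no JIRA) are assumptions.

```python
import base64
import json
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Constructed records in the shape the parsing step yields (only the fields used here).
# Addresses and messages come from slide 29; the raw text keeps the slide's "..." elision.
PARSED_ALERTS = [
    {"sid": "1:2009358:5", "msg": "ET SCAN Nmap Scripting Engine User-Agent Detected", "dst": "192.168.229.251",
     "raw": "03/16-07:30:00.000000 [**] [1:2009358:5] ET SCAN Nmap Scripting Engine User-Agent Detected ... 192.168.202.79:50465 -> 192.168.229.251:80"},
    {"sid": "1:952:6", "msg": "WEB-FRONTPAGE author.exe access", "dst": "81.177.139.111",
     "raw": "03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 81.177.139.111:80"},
    {"sid": "1:2100952:8", "msg": "GPL WEB_SERVER author.exe access", "dst": "166.62.112.150",
     "raw": "03/16-07:30:02.730000 [**] [1:2100952:8] GPL WEB_SERVER author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80"},
    {"sid": "1:952:6", "msg": "WEB-FRONTPAGE author.exe access", "dst": "166.62.112.150",
     "raw": "03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80"},
    # The same alert fired twice on the slide; it must appear once in the mapping.
    {"sid": "1:952:6", "msg": "WEB-FRONTPAGE author.exe access", "dst": "166.62.112.150",
     "raw": "03/16-07:30:02.730000 [**] [1:952:6] WEB-FRONTPAGE author.exe access [**] ... 192.168.202.79:50770 -> 166.62.112.150:80"},
]


def build_unique_dest_ips(alerts: List[dict], keyword: Optional[str] = None) -> Dict[str, List[str]]:
    """Group raw alert lines by destination IP (optionally only alerts whose message
    contains keyword, e.g. "exe"), drop exact duplicate lines, and sort keys by octet."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for a in alerts:
        if keyword and keyword.lower() not in a["msg"].lower():
            continue
        if a["raw"] not in grouped[a["dst"]]:
            grouped[a["dst"]].append(a["raw"])
    by_octet = lambda ip: tuple(int(o) for o in ip.split("."))
    return {ip: grouped[ip] for ip in sorted(grouped, key=by_octet)}


def issue_payload(project_key: str, dst_ip: str, raw_alerts: List[str], issue_type: str = "Task") -> dict:
    """Request body for JIRA's POST /rest/api/2/issue: one ticket per destination IP."""
    return {"fields": {
        "project": {"key": project_key},
        "summary": f"Snort: {len(raw_alerts)} alert(s) to {dst_ip}",
        "description": "\n".join(raw_alerts),
        "issuetype": {"name": issue_type},
    }}


def _http_sender(url: str, payload: dict, headers: Dict[str, str]) -> dict:
    """Default transport: JSON POST with urllib; returns the decoded JSON response."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def transmit(creds: str, jira_domain: str, mapping: Dict[str, List[str]], project_key: str = "SOC",
             sender: Callable[[str, dict, Dict[str, str]], dict] = _http_sender) -> List[str]:
    """Create one issue per destination IP. creds is "user:password" (HTTP basic auth, as the
    exercise's -a flag). Returns the issue keys JIRA assigned; sender is injectable for tests."""
    token = base64.b64encode(creds.encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {token}"}
    url = jira_domain.rstrip("/") + "/rest/api/2/issue"
    return [sender(url, issue_payload(project_key, ip, alerts), headers)["key"]
            for ip, alerts in mapping.items()]


if __name__ == "__main__":
    print(json.dumps(build_unique_dest_ips(PARSED_ALERTS, keyword="exe"), indent=2))
```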

  34. How do we insert data into JIRA? (cont'd)
  [Diagram of the whole pipeline: Snort alert log file → snort_log_parser.py (SnortParser) → snort_mapping.py → DEST_IP_ALERTS_MAP, i.e. { dst_ip_1 : [ alert_1, alert_2 ], dst_ip_2 : [ alert_1, alert_2 ], … } → JIRA.py → JIRA REST API → new tickets created in JIRA. Each dest. IP is also passed to osint.py, whose open source intel for that IP is stored in a file as additional context.]

  35. Exercise 2b: Put it all together
  • Change directories to snort_parsing
  • Get a fresh IP
  • Determine your VM's IP address (ifconfig)
  [RSA@RSAMKA exercise_2]$ cd snort_parsing
  [RSA@RSAMKA snort_parsing]$ sudo dhclient -r
  [RSA@RSAMKA snort_parsing]$ sudo dhclient

  36. Exercise 2b: JIRA setup
  • Run JIRA on your local machine
  • Using the IP from Step 1, type in your browser: http://<IP>:8080/
  • Login using: Username: RSA, Password: mkarsa
  • If you get a "Base URL Error", click the "update base URL" button in the pop-up box with the yellow banner
  • Feel free to explore a bit in JIRA

  37. Exercise 2b: Explore the program
  • In snort_parsing, open master.py
  • Be sure not to edit the code
  • If you accidentally edit the code, type ":q!" and press Enter (do not type the quotation marks)
  • Try to understand how each piece fits together
  [RSA@RSAMKA exercise_2]$ vim master.py

  38. Exercise 2b: Try it for yourself
  • Run the script
  • Go to JIRA, select the "Issues" dropdown, and click "Search for Issues" to see the newly-created tickets
  [RSA@RSAMKA snort_parsing]$ python master.py sample.pcap -u http://<IP>:8080/ -a RSA:rsamka

  39. Exercise 2b: Congratulations!
  • For you to try at home:
    • Open hub.py and add the missing code to make the program work
    • The module master.py is the solution to hub.py

  40. Data Enrichment
  • Analysis of data provided by tools is good, but that data is better when it has additional context!
  • Some classic examples of enrichment:
    • Network ranges (by organization, building, etc.)
    • User (hostname, organization, etc.)
    • OSINT (Alexa, reputation, NoD, etc.)
    • Net Defense (blocklists, greylists, etc.)
    • Analyst assistance (whitelists, previous tickets, etc.)

  41. But I want to use (Insert Tool Name Here)
  • Well, how about Splunk?
  • Splunk loves to eat JSON
  • CSV lookups make things easy

  42. Splunk Lookup Tables
  • Splunk has several mechanisms for data enrichment:
    • Comma Separated Value (CSV)
    • External tool
    • Key/Value store
  • CSV is the easiest to work with initially since it is a simple mechanism that a lot of tools will import/export
  • Keep It Simple

  43. Basic Configuration
  • In their most basic form, CSV lookup tables consist of a base lookup file that is stored in the '<appname>/lookup' directory and then referenced through a 'transforms.conf' entry
  • These lookup tables can then be referenced through multiple mechanisms
  http_status.csv:
  status,status_description,status_type
  100,Continue,Informational
  101,Switching Protocols,Informational
  200,OK,Successful
  201,Created,Successful
  202,Accepted,Successful
  …
  300,Multiple Choices,Redirection
  301,Moved Permanently,Redirection
  302,Found,Redirection
  …
  400,Bad Request,Client Error
  401,Unauthorized,Client Error
  402,Payment Required,Client Error
  403,Forbidden,Client Error
  404,Not Found,Client Error
  405,Method Not Allowed,Client Error
  …
  500,Internal Server Error,Server Error
  501,Not Implemented,Server Error
  502,Bad Gateway,Server Error
  503,Service Unavailable,Server Error
  504,Gateway Timeout,Server Error
  505,HTTP Version Not Supported,Server Error
  transforms.conf:
  [http_status]
  filename = http_status.csv
  Reference: http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/ConfigureCSVlookups

  44. Two methods of populating
  • The results are enriched by defining key/value pairs to be inserted when a specified field in the dataset matches a specified field in the lookup table.
  • Two sample ways of performing these lookups are:
    • The 'lookup' search command. When there is a match, the specified fields are output into the result set:
      ... | lookup http_status status OUTPUT status_description, status_type
    • Automatic lookups through 'props.conf' (the transform name comes first, then the lookup field AS the event field):
      [http_log]
      LOOKUP-http_log_lookup = http_status status AS code OUTPUT status_description status_type
  Reference: http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/ConfigureCSVlookups

  45. Example
  Lookup table: http_status.csv (the same table as on slide 43, keyed on the status column)
  Sample Apache access log (from http://ossec-docs.readthedocs.io/en/latest/log_samples/apache/apache.html):
  192.168.2.20 - - [28/Jul/2006:10:27:10 -0300] "GET /cgi-bin/try/ HTTP/1.0" 200 3395
  127.0.0.1 - - [28/Jul/2006:10:22:04 -0300] "GET / HTTP/1.0" 200 2216
  127.0.0.1 - - [28/Jul/2006:10:27:32 -0300] "GET /hidden/ HTTP/1.0" 404 7218
  x.x.x.90 - - [13/Sep/2006:07:01:53 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
  x.x.x.90 - - [13/Sep/2006:07:01:51 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
  x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/2.5 HTTP/1.1" 401 587
  • When the data above is ingested, it will be parsed and fields extracted.
  • In this example, the 7th field of the input is the HTTP status code
  • The config on the previous page will match it against the first column of the lookup!
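What the lookup on slides 43 to 45 does, reimplemented in Python as an added example (not Splunk and not the presenters' code): the CSV is loaded keyed on its first column, the status code is extracted from each Apache line, and the matching status_description and status_type are attached to the event, while an event whose code is not in the table is passed through unchanged. The regex field extraction stands in for Splunk's, the CSV is abridged to the rows needed, and the final 599 line is constructed to show a miss.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# http_status.csv from the slide, abridged to the rows the sample log needs plus two extras.
HTTP_STATUS_CSV = """\
status,status_description,status_type
200,OK,Successful
301,Moved Permanently,Redirection
401,Unauthorized,Client Error
404,Not Found,Client Error
500,Internal Server Error,Server Error
"""

# Apache access log lines from the slide (x.x.x.90 is the slide's own masking).
APACHE_LOG = [
    '192.168.2.20 - - [28/Jul/2006:10:27:10 -0300] "GET /cgi-bin/try/ HTTP/1.0" 200 3395',
    '127.0.0.1 - - [28/Jul/2006:10:22:04 -0300] "GET / HTTP/1.0" 200 2216',
    '127.0.0.1 - - [28/Jul/2006:10:27:32 -0300] "GET /hidden/ HTTP/1.0" 404 7218',
    'x.x.x.90 - - [13/Sep/2006:07:01:53 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587',
    'x.x.x.90 - - [13/Sep/2006:07:01:51 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587',
    'x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/2.5 HTTP/1.1" 401 587',
    # Constructed line with a status code the lookup table does not know.
    '10.0.0.5 - - [13/Sep/2006:07:02:00 -0700] "GET /status HTTP/1.1" 599 12',
]

# Field extraction standing in for Splunk's: the quoted request, then status, then bytes.
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<code>\d{3}) (?P<bytes>\S+)$'
)


def load_lookup(csv_text: str, key_field: str) -> Dict[str, Dict[str, str]]:
    """Load a CSV lookup table keyed on key_field (the first column on the slide)."""
    return {row[key_field]: row for row in csv.DictReader(io.StringIO(csv_text))}


def extract_fields(line: str) -> Optional[Dict[str, str]]:
    """Return the extracted fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def lookup(event: Dict[str, str], table: Dict[str, Dict[str, str]], event_field: str,
           output_fields: List[str]) -> Dict[str, str]:
    """Equivalent of `lookup http_status status AS code OUTPUT ...`: copy output_fields from
    the matching row into the event; leave the event untouched when there is no match."""
    row = table.get(event.get(event_field, ""))
    if row is None:
        return event
    return {**event, **{f: row[f] for f in output_fields}}


def enrich(lines: List[str]) -> List[Dict[str, str]]:
    """Run extraction plus lookup over raw lines; unparsable lines are skipped."""
    table = load_lookup(HTTP_STATUS_CSV, "status")
    out = []
    for line in lines:
        ev = extract_fields(line)
        if ev is not None:
            out.append(lookup(ev, table, "code", ["status_description", "status_type"]))
    return out


if __name__ == "__main__":
    for ev in enrich(APACHE_LOG):
        print(ev["clientip"], ev["code"], ev.get("status_type", "<no match>"))
```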

  46. OSINT Bash script
  • To assist analysis, we need more context
  • Open source intel (OSINT) script to the rescue!
  • Bash
  • More variations on cat skinning
  • Quick and dirty way to look up indicators from several vetted open sources
  • Written by another analyst doing work on their own
  • Retrofitted into this workflow to provide intel on our IPs

  47. How do we insert data into JIRA? (cont'd)
  [Pipeline diagram from slide 34 shown again: Snort alert log file → snort_log_parser.py (SnortParser) → snort_mapping.py → DEST_IP_ALERTS_MAP, { dst_ip_1 : [ alert_1, alert_2 ], dst_ip_2 : [ alert_1, alert_2 ], … } → JIRA.py → JIRA REST API → new tickets created in JIRA, with osint.py supplying open source intel per dest. IP, stored in a file, as additional context.]

  48. "Common" Event Format (CEF)
  • Attempt to standardize network/security event data into a single format
  • Easily add new sources of event data to your existing scripts and decision making process

  49. "Common" Event Format (CEF)
  Sample event (JSON with a nested "cef" object):
  "severity": "high",
  "label": "event",
  "type": "network",
  "cef": {
    "fileHash": "dae375687c520e06cb159887a37141bf",
    "requestURL": "www.adssa-org.1gb.ru",
    "destinationPort": "80",
    "sourcePort": "4286",
    "deviceDirection": "inbound",
    "destinationUserName": "Dan",
    "sourceAddress": "213.57.77.220"
  },
  "update_time": "2017-01-11T19:11:09.992701Z",
  "hash": "f0053797a5e4509f4cc093b8e67f0259",
  • Goal: Your tools create data in an output format that is easily managed by one central system
  • Gotcha: Don't worry about conforming to the exact standard
  • Easily stored in JSON; remember to structure it so fields stay available for other information

  50. Security Automation and Orchestration Integrated Work Flow
  [Diagram]
  • ALERT PHASE: Snort alert log file → snort_mapping.py → DEST_IP_ALERTS_MAP (in CEF format); together with other data sources → Ingestion to Platform as Events with Artifacts
  • ENRICHMENT PHASE (OSINT type tools): Whois, IP / URL Reputation, File Reputation
  • Playbook Decision: Malicious?
    • No → Close Event with (automated) comment
    • Yes → Playbook Automation: Create Ticket, Prompt User for Decision, Block IP, DNS Black-hole
  • Execute specific "Playbook(s)" based on Event Type
